I asked a colleague once how to answer those silly questions, you know,
the ones banks and other sites like to use to reset passwords? They're
used to verify you are who you say you "were." Well, my bank at the
start of the year had introduced some security enhancements to their
site and also required me to choose and answer five
questions.
So today, I'm in a hurry and want to log in to my bank account before I
head off to class, and before taking me to my account, it asks me "What
is your favorite movie?" Ummm, okay... What did I put? I completely
forgot! My favorite movies change frequently, and I ended up going
through Facebook and MySpace profiles to try and remember what my
favorite movie could be (I have so many??), and no luck! After trying
about fifteen different titles (are the answers case sensitive?), the
page displays a notice that my online account has been disabled and that
I should call some number to unlock it.
What bullshit! And this happened to someone who's relatively "security
aware" (in my opinion). I felt the frustration so many of our own users
feel when they do not remember that stupid, ridiculously
hard-to-remember password we make them change every 45 days. The problem
is that my bank likes to randomly pick and choose when to ask you these
questions. In my case, it was extremely frustrating.
Oh, and almost immediately after I got locked out of my account, one of
my instructors reminded me of a quote from my favorite movie. Want to
know what it was?? Yeah, that's right...
Office Space.
Posted by Marcin on Wednesday, April 4, 2007 in Intelligence, Privacy and Security.
Expanding on my previous blog post regarding export control and how it
is defined, there are several other factors to take into consideration
to help ensure compliance.
- Record Keeping
  - All export records must be kept for five years after license
    expiration, even if no license is required (NLR).
  - Maintain a log of all exports (e.g. method of transport,
    supplemental technical data)
  - Keep a copy of the invoice, bill, and data exported if physically
    exported
  - Keep a record of servers, usernames, and data sent when using any
    electronic medium
- Hiring Foreign Nationals and Outsourcing
  - Where will the work be done?
  - Where is the end-use?
  - Access by a foreign national (FN) on-site to a database or file
    share with technical data is still an export
  - Use ACLs and/or domains to grant appropriate permissions separately
    to employees who are U.S. citizens and to foreign nationals.
  - Consider physical badge colors and combinations to identify U.S.
    citizens, contractors, and foreign nationals.
- Other considerations:
  - Protect intranet web pages
  - Exchange calendar settings and items
  - Email chains
  - Printouts, desktops
  - Teleconference lurkers
Posted by Marcin on Wednesday, April 4, 2007 in Defense and Security.
ITT was fined $100 million for illegally exporting classified technical
data relating to night vision equipment overseas. In addition to being
fined, they must "invest $50 million over five years to accelerate
development of night vision technology, and the government will maintain
rights to all technology that is developed under the agreement."
This incident should raise awareness among all companies who manufacture
or develop export controlled commodities. In security, we need to ensure
we comply with all EAR/ITAR/AECA regulations and prevent unauthorized
exports to foreign nationals.
Q.) What is an export?
- Sending or transporting hardware, software, or technical data out of
the U.S. in any manner (e.g. hand-carry, web, courier, visually)
- Disclosing or transferring technical data to a foreign person by any
means whether in the U.S. or abroad ("deemed export")
- Release to a U.S. citizen employed by a foreign company, including
non-incorporated branches
- Providing technical support/service on behalf of or for the benefit
of a foreign person whether in the U.S. or abroad
Q.) OK then, what is technical data?
- Information that may be used in the design, development, manufacture,
repair, utilization, or reconstruction of articles or materials
- Blueprints and/or Specifications
- Manuals and/or Training
- Tours and/or Meetings
- Software and/or Algorithms
Q.) What is a foreign national?
- A person who is
  - Not a U.S. citizen, or
  - Not a permanent resident alien ("green card"), or
  - Has not been granted asylum or refugee status
- A U.S. citizen employed by foreign companies or governments
  (including embassies)
Q.) Who can I not export to?
- OFAC regulations prohibit exports to sanctioned countries, denied
  parties, etc.; also check the BIS Entity List and the debarred
  parties list
If you have other questions, see your IP legal team or Business Area
Export Representative for advice that pertains to your environment and
what constitutes export controlled data for your business.
Posted by Marcin on Saturday, March 31, 2007 in Defense, Politics, Security and Tech.
I was watching an episode of It Takes a Thief on the Discovery Channel
the other day that featured two skateboard shop owners. The hosts had
scouted the shop a day before, looking for video cameras and other
security equipment. The next day, they return and wait for the store
owners to leave. The entrance of the store is in the back, away from the
street in a secluded parking lot. A gray van pulls in and meets up with
the host of the show. They pull out a ladder and climb in through an AC
vent in the roof into the back store room. The van had a banner on the
side that said it was a roofing company, in case anybody asked why they
were on the roof. It took all of ten minutes to break in and get out
with close to $15,000 worth of merchandise and skateboard gear. The
store entrance had a "Closed Circuit TV" sticker on the door, but no
video cameras. It served as a deterrent, and there was only a motion
sensor near that front door.
When the police finally arrived and the store owners came to see what
happened, they were devastated. Had this been an actual robbery, they'd
be out of business. When the hosts and the TV show hooked them up with
the "latest" in security, the store owners were so happy they could
"just forget about" having to deal with it, now that they had all this
extra equipment. Not so fast: the hosts told them they didn't want them
to forget, because it was an ongoing process. Inventorying sale items,
security tapes, etc. would need regular attention.
This show is great, as it puts a thief's mindset in perspective when
securing your home or business. Both hosts were formerly professional
burglars/intruders who have now "turned good" to help people. If you
haven't seen the show, I recommend watching an episode.
Posted by Marcin on Friday, March 30, 2007 in Security.
While at ShmooCon, I saw a fair share of rogue APs pretending to be
ShmooCon APs. We worked to pull down these access points, but you can
never be sure. To help keep yourself from getting pwned, disable
wireless upon startup by commenting out the "auto" line for your
wireless interface. This will prevent anybody from hacking your laptop
(via wireless) before you even see the login screen (if you boot to
desktop) and also allow you time to scan the wireless access points and
decide which one to connect to.
# begin /etc/network/interfaces
auto lo
iface lo inet loopback

# Wired interface: static addressing, brought up at boot (see "auto eth0" below)
iface eth0 inet static
    address 172.16.2.123
    netmask 255.255.255.0
    gateway 172.16.2.1
    network 172.16.2.0
    broadcast 172.16.2.255
    # resolvconf keyword for nameservers (the original had "nameservers=", which ifupdown ignores)
    dns-nameservers 172.16.4.5 172.16.4.6

# Wireless interface: configured but NOT started at boot; run "ifup eth1" manually
iface eth1 inet dhcp
    wireless-essid shmoocon

auto eth0
#auto eth1
# end /etc/network/interfaces
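As an added check that is not part of the original post: the script below parses an ifupdown-style interfaces file and reports which interfaces will be started without you (every name on an uncommented "auto" or "allow-hotplug" line), so you can confirm the wireless interface really is manual before rebooting. The sample file, the interface name eth1, and the iwlist/ifup commands in the comments are assumptions; the sample is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a wireless interface
# is not auto-started by /etc/network/interfaces. Interface names and the
# sample config below are assumptions/constructed for illustration.

# Constructed sample modelled on the post's config (wireless commented out).
SAMPLE_INTERFACES="$(mktemp)"
trap 'rm -f "$SAMPLE_INTERFACES"' EXIT
cat > "$SAMPLE_INTERFACES" <<'EOF'
auto lo
iface lo inet loopback

iface eth0 inet static
    address 172.16.2.123
    netmask 255.255.255.0
    gateway 172.16.2.1

iface eth1 inet dhcp
    wireless-essid shmoocon

auto eth0
#auto eth1
EOF

# Print, one per line, the interfaces ifupdown will bring up on its own:
# every name listed on an uncommented "auto" or "allow-hotplug" line
# (several names may share one line, and comments are stripped first).
auto_ifaces() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "auto" || $1 == "allow-hotplug" { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 if the named interface is left for manual "ifup", 1 if it is auto-started.
wireless_is_manual() {
    file="$1"; wif="$2"
    auto_ifaces "$file" | grep -qx "$wif" && return 1
    return 0
}

# Stand-alone run: report what starts at boot and whether eth1 stays manual.
echo "Auto-started interfaces:"
auto_ifaces "$SAMPLE_INTERFACES"
if wireless_is_manual "$SAMPLE_INTERFACES" eth1; then
    echo "eth1 is manual: scan first, then bring it up yourself (as root):"
    echo "    iwlist eth1 scan | grep ESSID"
    echo "    ifup eth1"
else
    echo "WARNING: eth1 is auto-started; comment out its auto/allow-hotplug line" >&2
fi
```

Run it against the real file by pointing the functions at /etc/network/interfaces instead of the sample; allow-hotplug is checked as well because udev will bring such an interface up as soon as the card is detected, which on a laptop means at boot.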
Posted by Marcin on Sunday, March 25, 2007 in Linux and Security.